[Koha-bugs] [Bug 12831] local only logins should still work when ldap authentication is enabled

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Oct 3 18:01:02 CEST 2014


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12831

--- Comment #8 from Dobrica Pavlinusic <dpavlin at rot13.org> ---
Upon further investigation, I decided to obsolete my patch because I suspect
that it fixes the problem only for our particular installation instead of providing
a general solution to the problem. Let me explain...

The problem comes from the fact that with LDAP bind we can't distinguish between
users which don't exist in LDAP and invalid passwords. Both of those return
LDAP_INVALID_CREDENTIALS (in our installation we have a bit of LDAP software in
between which creates an invalid DN for users which are not in LDAP, but that is
not generally applicable).

This means that we have to know (somehow) whether users should use LDAP
passwords or not. Currently we don't have that information.

One possibility is to do an LDAP search (anonymous or via some account) and if the
user does exist in LDAP force them to provide the proper LDAP password. However,
this might not be practical because it creates additional load on the LDAP server
on one hand, and on the other anonymous searches might be disabled (that's
probably why we are using auth_by_bind in the first place) or there might not
be a special user which can search the whole LDAP (or the library might not have
permission to add such a user, which is our case).

Another possibility is to track locally in Koha whether users should use LDAP or
local passwords. This might be implemented simply by invalidating the local
password (with the word LDAP for example :-) which would prevent local fallback
from working once the user has logged in using LDAP.

I'm biased towards the second solution but I would love to hear some feedback about
it before producing code.

However, in any case we don't have a clear migration path for existing
installations because they do have local LDAP passwords in the database (like we
do). After their first LDAP login users will have their local password invalidated, but
users who never log in with a correct LDAP password (or who are already
disabled) will still be able to log in using the cached password.

To be quite honest, I did use that side-effect of the old code which allowed our
patrons to log in while LDAP wasn't available, so it might even make sense to
have that behavior again (as an LDAP configuration option perhaps). But if that is
the case, we again don't have the ability to expire users just in LDAP and expect
them to be disabled in Koha also.

-- 
You are receiving this mail because:
You are watching all bug changes.
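The decision logic sketched in the comment above, as an added Python example that is not Koha code and not part of the bug report. It assumes an LDAP client that distinguishes a connection failure from a rejected bind (both unknown user and wrong password come back as the same LDAP_INVALID_CREDENTIALS), that the borrower record already exists in Koha before login (no auto-creation from LDAP), and it uses a throwaway PBKDF2 hash and a fake in-memory directory constructed for the example. The "LDAP" sentinel in place of the local hash implements the second proposal (no local fallback once a user has bound successfully); the cache_ldap_password switch models the old behaviour the comment describes, where a cached copy lets patrons in while LDAP is down but also after they have been expired in LDAP. The demo() function walks through the cases raised in the comment, including the migration gap for users who never bind to LDAP after the change.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

LDAP_SENTINEL = "LDAP"   # replaces the local hash once a user has bound to LDAP (assumption)
PBKDF2_ROUNDS = 10_000   # deliberately low; example hashing, not Koha's own scheme


class LdapUnavailable(Exception):
    """Server could not be contacted (distinct from a rejected bind)."""


class LdapInvalidCredentials(Exception):
    """Bind rejected: wrong password OR unknown user; the server does not say which."""


@dataclass
class FakeLdap:
    """Constructed stand-in for an auth_by_bind directory."""
    directory: Dict[str, str]   # userid -> password the directory accepts
    available: bool = True

    def bind(self, userid: str, password: str) -> None:
        if not self.available:
            raise LdapUnavailable("can't contact LDAP server")
        if self.directory.get(userid) != password:
            raise LdapInvalidCredentials("LDAP_INVALID_CREDENTIALS")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Constant-time check; the LDAP sentinel (or any non-hash) never matches."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    _, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


@dataclass
class Auth:
    ldap: FakeLdap
    borrowers: Dict[str, str]          # userid -> local hash, or LDAP_SENTINEL
    cache_ldap_password: bool = False  # True: keep a local copy for use when LDAP is down

    def _local_ok(self, userid: str, password: str) -> bool:
        return check_password(password, self.borrowers[userid])

    def login(self, userid: str, password: str) -> str:
        """Return "ldap", "local" or "denied"."""
        if userid not in self.borrowers:
            return "denied"
        try:
            self.ldap.bind(userid, password)
        except LdapInvalidCredentials:
            # Cannot tell "not in LDAP" from "wrong LDAP password", so the stored
            # value itself decides: a sentinel means no local fallback.
            return "local" if self._local_ok(userid, password) else "denied"
        except LdapUnavailable:
            # Outage: fall back only if a cached copy is allowed and present.
            if self.cache_ldap_password and self._local_ok(userid, password):
                return "local"
            return "denied"
        # Bind succeeded: either cache the password (outage fallback, but it also
        # keeps working after the user is expired in LDAP) or invalidate it.
        self.borrowers[userid] = (hash_password(password) if self.cache_ldap_password
                                  else LDAP_SENTINEL)
        return "ldap"


def demo() -> Dict[str, str]:
    """Walk through the cases raised in the comment; returns case -> outcome."""
    ldap = FakeLdap({"alice": "ldap-pw", "bob": "ldap-pw"})
    strict = Auth(ldap, {
        "alice": hash_password("old-cached"),  # had a cached local copy before the change
        "bob": hash_password("old-cached"),    # never logs in via LDAP after the change
        "carol": hash_password("local-only"),  # not in LDAP at all
    })
    out = {}
    out["local_only_user"] = strict.login("carol", "local-only")
    out["ldap_user_first_login"] = strict.login("alice", "ldap-pw")
    out["ldap_user_cached_pw_after"] = strict.login("alice", "old-cached")
    del ldap.directory["alice"]                                   # expired in LDAP
    out["ldap_user_expired"] = strict.login("alice", "ldap-pw")
    out["migration_gap_never_bound"] = strict.login("bob", "old-cached")

    cached = Auth(FakeLdap({"dave": "ldap-pw"}), {"dave": LDAP_SENTINEL},
                  cache_ldap_password=True)
    out["cache_mode_first_login"] = cached.login("dave", "ldap-pw")
    cached.ldap.available = False
    out["cache_mode_ldap_down"] = cached.login("dave", "ldap-pw")
    cached.ldap.available = True
    del cached.ldap.directory["dave"]                             # expired in LDAP
    out["cache_mode_expired_in_ldap"] = cached.login("dave", "ldap-pw")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} {result}")
```

The two outcomes worth noticing are "migration_gap_never_bound" (bob's pre-existing cached hash still lets him in because nothing ever replaced it with the sentinel, exactly the migration problem the comment raises) and "cache_mode_expired_in_ldap" (with caching enabled, removing dave from the directory does not lock him out of Koha, since a rejected bind is indistinguishable from "not an LDAP user"). The sentinel approach closes the second hole only at the cost of losing outage fallback, which is the trade-off the comment leaves open.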